Not only is Canada long overdue in its statutorily mandated review of PIPEDA, our federal privacy protection law, but it seems as though significant elements of the law may soon be undermined significantly, as the United States Trade Representative is reportedly pushing for strict limitations on privacy protections as part of the Trans Pacific Partnership that Canada recently joined.

Much has already been written about the copyright restrictions the USTR aims to foist on Canada and other signatories through the TPP. For Canada, these are particularly poignant, as they come right on the heels of Canada’s long and hard-fought Copyright Modernization Act. The leaked IP Chapter of the TPP will force the Canadian government to undo much of the careful balancing that went into the Copyright Act updates. More to the point, the TPP will force Canada to roll back many of the user-friendly provisions and add many new oppressive powers that will threaten online innovation and user rights, while offering nothing at all for individual users to make the tradeoff worthwhile.

As bad as the IP Chapter may be, however, a still-to-be-leaked e-commerce chapter may have equally dramatic implications for consumer privacy. Given the cone of ultra secrecy that pervades TPP negotiations [reportedly, TPP drafts are now watermarked so that any future leaks can be traced back to their government of origin], it is not surprising that the e-commerce chapter has not yet seen the light of day. In spite of this, reports have emerged that provide some insight into what the chapter might contain.

Specifically, it sounds as if the USTR is seeking to ban any and all restrictions on transborder data flows except in some isolated, well-defined exceptions (it is unknown what these exceptions might be). This directly conflicts with foundational data protection standards such as the OECD’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, to which both Canada and the United States are signatories. The OECD Guidelines are the seminal data protection framework on which many of the world’s domestic privacy laws are based.

The Guidelines recognize the importance of minimizing restrictions on transborder data flows, but also the importance of ensuring privacy protection. Hence, the Guidelines permit ‘justified’ obstacles to transborder data flows, as long as these are required to protect privacy or individual liberties.

By contrast, Inside U.S. Trade is reporting that the USTR is calling for an almost absolute ban on restrictions to transborder data flows, outside of a few very narrowly defined exceptions [paywall]. Under the reported U.S. proposal, companies will basically be tasked with coming up with their own privacy protections, which would then be binding upon them. This appears to impose on all TPP signatories the problematic ‘notice and consent’ model which most commentators agree has largely failed since the United States adopted it as its primary mechanism for protecting privacy.

Second, the U.S. proposal would prevent countries from mandating companies to locate servers locally. Currently, under U.S. policy, it seems that Government agencies are not permitted to place any restrictions on server location, even where these agencies deem there is a pressing need for secure server locations. This conclusion appears premised on the assumption that there is no evidence of legitimate privacy concerns arising from server location in foreign countries.

The server location restrictions are problematic. The impetus behind them is to prevent countries from requiring U.S. companies to create domestic server banks. There have certainly been historic examples where state entities have expressed concerns over unjustified U.S. government access to domestic data through PATRIOT Act powers or through quasi-legal surveillance programs such as the NSA’s Internet monitoring regime instituted under FISA. Others have argued that preventing companies from locating servers in the U.S. will not greatly secure data against these types of surveillance powers.

The question of whether privacy and security concerns over US-based server location are justified or not has been hotly debated for many years. So hotly debated, that the principle itself is often lost in questions over its application to a specific factual matrix. The principle — that server location in some countries will surely put data at risk — appears unassailable, yet the TPP seems ready to throw out the baby with the bath water and put in place an absolute ban on domestic server requirements.

More problematic than the server location provisions, however, are reported attempts to impose the failed ‘notice and consent’ US model of privacy protection on any foreign company. Under this model, company accountability is apparently limited to what they choose to place in their privacy policies. Inside U.S. Trade reports that this proposal is strongly opposed by several TPP countries, led by Australia. Australia has reportedly offered a counter proposal that would permit restrictions on inbound and outbound traffic, as long as these can be justified for a non-trade-related purpose such as privacy protection. This proposal seems to mirror the OECD Transborder Data Flow Guidelines, which seek to limit unjustified restrictions to what is necessary for privacy protection.

It is not clear to what extent this TPP obligation would apply in scenarios where there is a real and substantial connection between the company in question and Canada, or whether PIPEDA’s current restrictions on outsourcing of services (ensure, by contractual or other means, that the outsourced company will provide a comparable level of privacy protection, Principle 4.1.3) might run afoul of this provision. Nor is it clear where Canada stands on this proposal — Inside U.S. Trade reports that only one other TPP country is supporting the U.S. proposal at this time. All of this is troubling, particularly in light of the fact that companies will apparently have rights of action against any government they feel is not living up to its TPP obligations.

Comments

The proposed ban on keeping sensitive Canadian data in Canada is significant to more than just the legal profession: I expect my doctor, eHealth Ontario and anyone else who is a custodian of personal and sensitive health data to honour Canadian law.

I already have concerns about recommending certain services to my MP and city councilman: they both have personal and confidential information they want on-line, yet the on-line services are US-dominated and are subject to US warrantless inspection.

When I mentioned this to a colleague who’s been following the TPP for some time, he said

Any demand that private information about any citizen be stored in
another country’s facilities, where that country can freely access it is
not just a violation of privacy (which can be argued), it is a violation
of sovereignty. I suspect that will be the argument presented by a
number of other jurisdictions.

I think you are right that the restrictions on transborder storage are concerning. While, with respect to U.S.-based storage, people argue back and forth on whether there is a greater risk of lawful access or not, I think few law firms or other businesses with sensitive data would be sanguine with having their confidential information stored in China, or somewhere else where surreptitious access becomes a real threat.

I’m even more concerned with suggestions that the U.S. might be using the TPP to undermine _domestic_ privacy protections. Take this excerpt from the Inside U.S. Trade article:

Concerning privacy, the U.S. proposal contains a number of options that companies could use to ensure they are protecting sensitive personal data, including an enforceable “code of conduct.” Generally speaking, this approach would allow businesses themselves to come up with the best way to guard sensitive data, but then would make those business practices fully enforceable in some way by TPP governments.

This self-regulatory system does not work well, and would undermine the security of even locally stored data.